Lapsus$ Breached T-Mobile
Industry: N/A | Level: Strategic | Source: Krebs On Security
Through a review of activity by the data extortion group Lapsus$, independent researcher Brian Krebs has identified a March 2022 breach of wireless network operator T-Mobile. Krebs obtained private chat messages exchanged by Lapsus$ members, and the indications are that the group breached T-Mobile multiple times, obtaining source code for various company projects in order to extort the carrier for financial gain. T-Mobile has confirmed the breach but stated to Bleeping Computer that customer and government data was not compromised: “The systems accessed contained no customer or government information or other similarly sensitive information, and we have no evidence that the intruder was able to obtain anything of value.” The chat logs examined by Krebs give a view into the group’s operations thanks to the members’ candid conversations. Lapsus$ obtained access by purchasing compromised systems and credentials on the Russian Market. The group also enticed insiders to supply access, with T-Mobile employees providing internal access and capabilities that let Lapsus$ conduct “SIM swaps.” Although the hackers were shut out from time to time, when a T-Mobile employee logged into their own account or changed their password, Lapsus$ was able to discover or purchase another set of T-Mobile VPN credentials. On March 19th, 2022, Lapsus$ compromised Atlas, a T-Mobile customer management tool, and attempted to access accounts related to the FBI and Department of Defense; however, those accounts required “additional verification procedures before any changes could be processed,” thwarting the attackers’ attempts to access government account data.
Lapsus$ Breached SuperCare Health in July 2021
Industry: Healthcare | Level: Strategic | Source: CySecurity
SuperCare Health, a respiratory care provider located in California, disclosed a data breach that occurred between July 23rd and 27th, 2021, impacting 318,379 patients. The data extortion group Lapsus$ has been identified as responsible for the attack. Data compromised by the hackers includes patient names, dates of birth, and medical and insurance information. For a subset of patients, Social Security numbers and/or driver’s license information were also compromised.
Shedding light on techniques used to abuse MFA, Ars Technica reports on a tactic known as MFA prompt-bombing.
Lapsus$ Hacks Globant
Industry: Technology: Information Technology & Software | Level: Strategic | Source: Techmonitor
Information technology and software company Globant has suffered a data breach by Lapsus$, as reported by TechMonitor. Despite the arrest of seven Lapsus$ members, the remaining members are undeterred following their “week-long vacation.” The data extortion group has released 70GB of data from Globant, including source code and admin passwords. As is typical of Lapsus$ data leaks, an image shows Globant clients, including “BNP Paribas, Facebook, healthcare giant Abbott, Stifel and DHL,” indicating potentially widespread implications of the hack. Input from researchers at vx-underground and from Brian Higgins, a security specialist at Comparitech, suggests Globant’s breach was due to poor “password hygiene.”
Microsoft Confirms LAPSUS$ Hack & Analysis
Industry: Technology | Level: Strategic | Source: Microsoft
Microsoft’s security teams provide an analysis of the Lapsus$ data extortion group (tracked by Microsoft as DEV-0537). Microsoft also confirms its own breach by Lapsus$, which compromised project source code for Bing and Cortana. Microsoft’s statement on the impact and cause reads: “no customer code or data was involved in the observed activities. Our investigation has found a single account had been compromised, granting limited access. Our cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity.” Microsoft shares details of the observed tactics, techniques and procedures (TTPs). Initial access is obtained much as with most threat actor groups: gathering credentials from information-stealing malware such as RedLine, purchasing them through access brokers, and recruiting insiders at target companies (with specific industry targets including telecommunications and technology). For reconnaissance and privilege escalation, the group targets vulnerabilities on internal servers and searches internal repositories for credentials and secrets. The group gathers intelligence by joining crisis calls and/or observing internal message channels to understand the organization’s incident response workflow. In the final stages of the attack, the hackers often create global admin accounts on cloud tenants: “If they successfully gain privileged access to an organization’s cloud tenant (either AWS or Azure), DEV-0537 creates global admin accounts in the organization’s cloud instances, sets an Office 365 tenant-level mail transport rule to send all mail in and out of the organization to the newly created account, and then removes all other global admin accounts, so only the actor has sole control of the cloud resources, effectively locking the organization out of all access. After exfiltration, DEV-0537 often deletes the target’s systems and resources.” The attackers use a VPN for data exfiltration; however, they are cognizant of alerts such as impossible travel and select a geographically sensible egress location based on their target.
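The final-stage sequence Microsoft describes (new global admin, tenant-wide mail diversion, removal of every other global admin) leaves a distinctive trail in directory and Exchange audit logs. The following is an added detection example, not Microsoft’s code: it runs over constructed records shaped like Microsoft 365 Unified Audit Log exports (Exchange cmdlet audit and Azure AD role-membership audit). The exact field names and the 24-hour window are assumptions made for the example.

```python
"""Detect the DEV-0537 cloud-tenant takeover chain over audit records.

Added example, not Microsoft's code. Records are constructed to look like
Microsoft 365 Unified Audit Log exports; the field names and the window
length are assumptions made for this example.
"""
import json
from datetime import datetime, timedelta

GA_ROLE = "Global Administrator"
# Transport-rule parameters that silently copy or divert mail.
FORWARD_PARAMS = {"BlindCopyTo", "RedirectMessageTo", "CopyTo"}
WINDOW = timedelta(hours=24)  # how recently the actor must have become a GA

# Constructed sample records (one JSON object per line), not real telemetry.
SAMPLE_LOG = r'''
{"CreationTime": "2022-03-20T02:10:05", "Workload": "AzureActiveDirectory", "Operation": "Add user.", "UserId": "contractor@contoso.example", "ObjectId": "svc-backup@contoso.example"}
{"CreationTime": "2022-03-20T02:11:40", "Workload": "AzureActiveDirectory", "Operation": "Add member to role.", "UserId": "contractor@contoso.example", "ObjectId": "svc-backup@contoso.example", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""}]}
{"CreationTime": "2022-03-20T02:15:12", "Workload": "Exchange", "Operation": "New-TransportRule", "UserId": "svc-backup@contoso.example", "Parameters": [{"Name": "Name", "Value": "Archive"}, {"Name": "BlindCopyTo", "Value": "svc-backup@contoso.example"}]}
{"CreationTime": "2022-03-20T02:18:33", "Workload": "AzureActiveDirectory", "Operation": "Remove member from role.", "UserId": "svc-backup@contoso.example", "ObjectId": "admin@contoso.example", "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Global Administrator\""}]}
{"CreationTime": "2022-03-20T09:00:00", "Workload": "Exchange", "Operation": "Set-TransportRule", "UserId": "mailadmin@contoso.example", "Parameters": [{"Name": "Name", "Value": "Legal hold"}, {"Name": "Priority", "Value": "0"}]}
'''


def parse_records(text):
    """Parse one JSON record per line and sort them chronologically."""
    records = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for r in records:
        r["_ts"] = datetime.fromisoformat(r["CreationTime"])
    return sorted(records, key=lambda r: r["_ts"])


def role_name(record):
    """Role named in a role-membership audit record, with JSON quoting stripped."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == "Role.DisplayName":
            return prop.get("NewValue", "").strip('"')
    return None


def detect_tenant_takeover(text):
    """Return findings for the GA-grant -> mail-diversion -> admin-removal chain.

    Any mail-diverting transport rule is reported (they are rare and worth
    review); removal of a Global Administrator is reported only when the
    actor itself became a Global Administrator within WINDOW.
    """
    findings = []
    ga_granted = {}  # account -> time it was made Global Administrator
    for r in parse_records(text):
        op, actor, ts = r.get("Operation", ""), r.get("UserId", ""), r["_ts"]
        recent_ga = actor in ga_granted and ts - ga_granted[actor] <= WINDOW
        if op == "Add member to role." and role_name(r) == GA_ROLE:
            ga_granted[r["ObjectId"]] = ts
        elif op in ("New-TransportRule", "Set-TransportRule"):
            params = {p["Name"]: p["Value"] for p in r.get("Parameters", [])}
            diverted = sorted(FORWARD_PARAMS & params.keys())
            if diverted:
                findings.append({
                    "rule": "mail_diversion_rule",
                    "actor": actor,
                    "target": ", ".join(params[k] for k in diverted),
                    "by_new_global_admin": recent_ga,
                    "time": ts.isoformat(),
                })
        elif op == "Remove member from role." and role_name(r) == GA_ROLE and recent_ga:
            findings.append({
                "rule": "global_admin_removed_by_new_admin",
                "actor": actor,
                "target": r.get("ObjectId"),
                "by_new_global_admin": True,
                "time": ts.isoformat(),
            })
    return findings


if __name__ == "__main__":
    for finding in detect_tenant_takeover(SAMPLE_LOG):
        print(json.dumps(finding))
```

On the constructed sample, the benign `Set-TransportRule` (priority change by a long-standing mail admin) produces nothing, while the `BlindCopyTo` rule and the admin removal by the freshly promoted `svc-backup` account are both flagged. Because Microsoft notes the actors pick a plausible egress geography, this chain-of-actions logic is a better anchor than impossible-travel alone.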
As reported by the BBC, London police have arrested seven teenagers associated with the Lapsus$ data extortion group.
Okta Data Breach Update
Industry: Technology | Level: Tactical | Source: Okta
Okta provides an update on the company blog regarding its security breach by Lapsus$. Okta’s forensic investigation affirms that the activity originated from a business solutions company, Sitel, and the company it acquired, Sykes. The screenshots shared by Lapsus$ are determined to have been obtained through remote desktop (RDP) access to a Sitel support engineer’s workstation. Although the support engineer’s privilege level is identified as “SuperUser,” Okta emphasizes the role “is limited to basic duties in handling inbound support queries.” The forensic investigation conducted by Sitel and a third-party security firm extensively reviewed activity from “January 16-21, 2022 when the threat actor had access to the Sitel environment.” On Okta’s side, the investigation was triggered by an event on January 20, 2022, at 23:18 UTC, with an alert that “a new factor was added to a Sitel employee’s Okta account from a new location.” Okta contained the associated account on January 21st, 2022 at 00:18 UTC. Okta’s incident timeline dates the notable events from January 20th, 2022 to March 22nd, 2022, when Lapsus$ claimed the breach via screenshot.
- Anvilogic Scenarios:
  - Okta Suspicious Login then Priv Esc and AOO
  - Okta Suspicious Login then Account Manipulation
- Anvilogic Use Cases:
  - Okta: Security Threat Detected
  - Okta: API Token Created
  - Okta: User/Group Privilege Grant
  - Okta: Application Modified or Deleted
  - Okta: Update or Delete sign on policy
  - Okta: MFA Reset or Deactivated
  - Okta: Policy Modified or Deleted
  - Okta: Policy Rule Modified or Deleted
  - Okta Multiple signins from Same IP address
  - Okta Impossible Travel Sign-In
  - Okta: Auth from Suspicious Country
  - Okta: Profile Updated
  - Okta: User Created
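The alert that started Okta’s investigation (a new MFA factor added to an account from a new location) and the MFA prompt-bombing tactic mentioned earlier in this digest are both visible in the Okta System Log. The following is an added example, not Okta’s or Anvilogic’s code, showing both detections over constructed events in the shape of Okta System Log entries. The eventType names are the ones Okta documents as far as I know; the threshold of five pushes in ten minutes, the country-level definition of “new location,” and all user and IP values are assumptions for the example.

```python
"""Two Okta System Log detections: factor enrollment from a new location,
and MFA push bombing.

Added example, not Okta's or Anvilogic's code. Events are constructed to
look like Okta System Log entries; thresholds are assumptions.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

ENROLL_EVENTS = {"user.mfa.factor.activate"}  # a new factor was added to the account
PUSH_EVENTS = {"system.push.send_factor_verify_push", "user.mfa.okta_verify.deny_push"}
PUSH_THRESHOLD = 5                  # pushes per user per window (assumption)
PUSH_WINDOW = timedelta(minutes=10)


def _ev(published, event_type, user, ip, country, result="SUCCESS"):
    """Build a minimal Okta System Log-shaped event (constructed sample data)."""
    return {
        "published": published,
        "eventType": event_type,
        "actor": {"alternateId": user},
        "client": {"ipAddress": ip, "geographicalContext": {"country": country}},
        "outcome": {"result": result},
    }


# Constructed sample: jsmith logs in twice from the US, then a factor is
# activated from the UK; abird receives a burst of Okta Verify pushes.
SAMPLE_EVENTS = [
    _ev("2022-01-20T21:00:00.000Z", "user.session.start", "jsmith@sitel.example", "203.0.113.10", "United States"),
    _ev("2022-01-20T22:30:00.000Z", "user.session.start", "jsmith@sitel.example", "203.0.113.11", "United States"),
    _ev("2022-01-20T23:18:00.000Z", "user.mfa.factor.activate", "jsmith@sitel.example", "198.51.100.7", "United Kingdom"),
] + [
    _ev(f"2022-01-21T03:0{i // 3}:{(i % 3) * 20:02d}.000Z", "system.push.send_factor_verify_push",
        "abird@sitel.example", "198.51.100.7", "United Kingdom")
    for i in range(6)
] + [
    _ev("2022-01-21T03:02:00.000Z", "user.mfa.okta_verify.deny_push", "abird@sitel.example",
        "198.51.100.7", "United Kingdom", result="FAILURE"),
]


def detect(events):
    """Return findings for factor-from-new-location and push-bombing patterns."""
    findings = []
    known_countries = defaultdict(set)  # user -> countries of prior successful sessions
    recent_pushes = defaultdict(deque)  # user -> timestamps of pushes inside PUSH_WINDOW
    already_flagged = set()             # users already reported for push bombing
    for e in sorted(events, key=lambda e: e["published"]):
        ts = datetime.fromisoformat(e["published"].replace("Z", "+00:00"))
        user = e["actor"]["alternateId"]
        client = e.get("client", {})
        ip = client.get("ipAddress")
        country = client.get("geographicalContext", {}).get("country")
        event_type = e["eventType"]

        if event_type == "user.session.start" and e["outcome"]["result"] == "SUCCESS":
            known_countries[user].add(country)  # build the per-user baseline
        elif event_type in ENROLL_EVENTS:
            # "New location" here means a country absent from the user's baseline.
            # A brand-new account with no history will also trip this; in production
            # the baseline would be seeded from a longer history than the sample.
            if country not in known_countries[user]:
                findings.append({"rule": "mfa_factor_added_from_new_location", "user": user,
                                 "ip": ip, "country": country, "time": e["published"]})
        elif event_type in PUSH_EVENTS:
            window = recent_pushes[user]
            window.append(ts)
            while window and ts - window[0] > PUSH_WINDOW:
                window.popleft()  # drop pushes that aged out of the sliding window
            if len(window) >= PUSH_THRESHOLD and user not in already_flagged:
                already_flagged.add(user)  # one finding per burst, not per push
                findings.append({"rule": "mfa_push_bombing", "user": user, "ip": ip,
                                 "count": len(window), "time": e["published"]})
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

The push-bombing rule fires on the fifth push within the window and then stays quiet for that user, so a single burst yields a single finding; the deny event counts toward the burst because a user repeatedly denying prompts is exactly the signal that precedes an eventual accidental approval.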
366 customers may have been breached, and the exposed data may have been “viewed or acted upon.”
Okta, the authentication provider, is investigating claims of a data breach from the data extortion group Lapsus$.